Experiencing a problem with pap authentication using Freeradius 2.2.2

dwnek at dollartree.com dwnek at dollartree.com
Fri Nov 15 17:38:00 CET 2013


Hello Alan,

> We currently run 3 instances of freeradius 2.1.8 on Red Hat Enterprise 4
> 32-bit and it works flawlessly for us.  Thank you for that!  I have built a
> Red Hat Enterprise 6 64-bit server and installed freeradius 2.2.2 on it.
> When I change the RADIUS Server IP address on a device that currently works
> with the RHEL4/freeradius 2.1.8 to the IP address of the new server, I am
> unable to authenticate.

  RADIUS is *very* dependent on IP addresses.

>> I understand. I had even shut down the IP on the production server for a moment
>> and brought up the same IP on the new server, modified the listen lines in
>> radiusd.conf and restarted radius on the new server, but no change.

> Here is the output from starting up freeradius 2.2.2 in -Xxx debug mode

  PLEASE follow instructions.  We don't need the extra crap produced by
"-Xxx".  Just "-X" is good enough.

>> Okay, henceforth I will only post -X output.

> and
> an attempt to authenticate.  If anyone can help me to resolve this I would
> be greatly appreciative.  I can answer any questions and post configuration
> file contents if required.

  The point of the debug output is that you usually don't need to post
the config files.  The ones which are used produce useful information in
the debug output.  The ones which aren't used don't matter.

>> Okay, henceforth I will refrain from offering to post config files.

> Fri Nov 15 09:25:30 2013 : Info: ++[eap] = noop
> Fri Nov 15 09:25:30 2013 : Info: [files] users: Matched entry dwnek at line 22
> Fri Nov 15 09:25:30 2013 : Info: [files]        expand: Hello, %{User-Name} -> Hello, dwnek

  So... what's that entry on line 22?  Does it contain a password for
the user?

>> The entry on line 22 of the users file is my username of dwnek.  The
>> following two lines contain the following..
>>      Reply-Message = "Hello, %{User-Name}",
>>        Symbol-Admin-Role = SuperUser,

> Fri Nov 15 09:25:30 2013 : Info: [pap] WARNING! No "known good" password
> found for the user.  Authentication may fail because of this.

  Which means that entry doesn't contain a password for the user.

>> That is correct. On the old server we are using passwords in /etc/shadow to
>> authenticate users.

>> I got it working by uncommenting the "unix" line under the "authorize" section
>> of the raddb/sites-available/default file. I am hoping that this was the best
>> way to fix authenticating users via /etc/shadow? I am guessing that I should
>> probably uncomment it under the "authenticate" and "accounting" sections as
>> well?

Thank You,
Derek
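
Added example (not part of the original message, and not FreeRADIUS code): a small Python triage of the debug lines quoted in this thread. It pairs the `users` file match with the pap "known good" password warning and lists which modules ran before `pap`. The `++[files]` and `++[pap]` result lines in the sample are constructed in the format of the quoted `++[eap]` line.

```python
import re

# Constructed sample: the eap, "Matched entry" and WARNING lines are the ones
# quoted in the thread; the ++[files] and ++[pap] result lines are assumed.
SAMPLE = """\
Fri Nov 15 09:25:30 2013 : Info: ++[eap] = noop
Fri Nov 15 09:25:30 2013 : Info: [files] users: Matched entry dwnek at line 22
Fri Nov 15 09:25:30 2013 : Info: ++[files] = ok
Fri Nov 15 09:25:30 2013 : Info: [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
Fri Nov 15 09:25:30 2013 : Info: ++[pap] = noop
"""

PREFIX = re.compile(r"^.*? : (?:Info|Debug|Error): ")  # timestamp prefix, if present
RESULT = re.compile(r"^\++\[([^\]]+)\] = (\w+)$")       # per-module return code
MATCHED = re.compile(r"^\[files\] users: Matched entry (\S+) at line (\d+)$")
NO_PASSWORD = 'No "known good" password'


def triage(text):
    """Summarise one request's debug lines for a missing-password diagnosis."""
    results, matched, warned = [], [], False
    for raw in text.splitlines():
        line = PREFIX.sub("", raw.strip())
        if m := RESULT.match(line):
            results.append((m.group(1), m.group(2)))
        elif m := MATCHED.match(line):
            matched.append((m.group(1), int(m.group(2))))
        elif NO_PASSWORD in line:
            warned = True
    names = [name for name, _ in results]
    before_pap = results[: names.index("pap")] if "pap" in names else results
    return {
        "no_known_good_password": warned,
        "matched_entries": matched,
        "ran_before_pap": before_pap,
        "unix_ran": "unix" in [name for name, _ in before_pap],
    }


def explain(report):
    """Turn the summary into a one-line finding."""
    if not report["no_known_good_password"]:
        return "pap did not warn about a missing password"
    ran = ", ".join(f"{n}={rc}" for n, rc in report["ran_before_pap"]) or "none"
    hits = ", ".join(f"{u} (line {ln})" for u, ln in report["matched_entries"])
    return f"no password supplied before pap; modules run: {ran}; users matches: {hits or 'none'}"


if __name__ == "__main__":
    print(explain(triage(SAMPLE)))
```
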


